With little fanfare, Global Payments Inc. last week disclosed that the payment card networks had returned it to their lists of processors compliant with the Payment Card Industry data-security standard (PCI) following remediation efforts the merchant processor began after the data breach it disclosed a year ago. Atlanta-based Global Payments also said that thanks in part to insurance reimbursements, it expects its final breach-related tab to total about $95 million, less than its earlier estimates that at one point were as high as $120 million.
The company reported the developments with its earnings statement for the third quarter of fiscal 2013 ended Feb. 28. Global said it now has reports on compliance, or RoCs, from all the major networks. Those RoCs lift a cloud that had hung over Global because they amounted to what was effectively probation. While the PCI Security Standards Council sets the PCI requirements, the card networks actually enforce them. If a processor sustains a data breach, the networks typically remove the company from their lists of PCI-compliant providers until it passes a new PCI assessment.
“I'm gratified to report that during the quarter, we returned to the worldwide lists of PCI-compliant companies,” chairman and chief executive Paul R. Garcia told analysts during the company’s quarterly earnings call. “This was a significant milestone and I am proud of the accomplishments of our team.”
Later in the call, an analyst said he wanted to confirm: “are we totally done at this point” with the breach?
“Yes,” replied chief financial officer David E. Mangum, though he said he wanted to “parse that just a little bit.”
“We are complete,” he said. “We are back on the list of PCI-compliant companies. We are processing. We are on, I believe, every list possible at this stage, all the way around the world from all the various entities.” Mangum added that “we still have some internal cleanup” that will generate some charges in the fiscal fourth quarter, “but our remediation activities are complete.”
Global has divulged few details about exactly how the breach it disclosed March 30, 2012, happened. What the company calls an “intrusion” affected one part of its North American payment card processing system. Last year the company said it believed data from no more than 1.5 million accounts were exposed. The intrusion also exposed personal information about some applicants for merchant accounts.
Global Payments recorded $84.4 million in net breach-related expenses in fiscal 2012. The company expects it will have spent another $20 million when it closes the books on fiscal 2013 on May 31. Global last year said it anticipated receiving a total of about $29 million in insurance reimbursements, and last week it was awaiting about $10 million under its policy. That will bring its final tab for the breach to about $95 million. In addition to beefing up security and the new PCI assessment, the costs include consulting and legal expenses, and any network fines or payments to card issuers to reissue compromised cards.
“I don’t know how they got compromised but I do think they made a concerted effort to beef up their security,” Avivah Litan, a security-technology analyst for Stamford, Conn.-based Gartner Inc., tells Digital Transactions News. “I’m sure the true story will never come out.”
Litan notes that because Global Payments is one of the nation’s largest merchant acquirers, the card networks continued to accept transactions originating with Global’s merchants even though they had kicked the company off their lists of PCI-compliant processors. The same thing happened in 2009 when another leading acquirer, Heartland Payment Systems Inc., reported what became the card industry’s largest breach ever, one that potentially compromised 130 million accounts.
But back in 2005, a much smaller processor, CardSystems Solutions Inc., reported a breach that may have exposed 40 million card accounts, although fraud was confirmed on only about 200,000, according to a 2010 report from the Privacy Rights Clearinghouse. Visa Inc. responded by saying it planned to cut off CardSystems’ access to its network, a move that effectively amounted to the kiss of death for CardSystems as an independent company.
“This processor [Global] was too big to put out of business, so Visa and MasterCard worked to keep them in business,” says Litan.
Global reported net income of $58.5 million in the third quarter, up 1% from $57.9 million a year earlier, on revenues of $578.7 million, up 8% from $533.5 million.